Meeting regulatory challenges with continuous compliance

By Javid Khan, chief cloud officer, Pulsant

Financial services companies generate a lot of data. With this comes the requirement to store the data, much of which contains sensitive information and must be protected.

Adhering to the many rules and regulations such as those mandated by the Financial Conduct Authority (FCA), ISO27001, PCI-DSS and GDPR to name just a few, is an increasingly difficult challenge.

Companies within the financial services industry already adopt an approach with data at the heart of their IT strategy. But it is no longer just down to the IT department to defend this precious commodity with firewalls and intrusion detection systems; that approach alone will not provide you with a strategy fit for a compliance framework. The data is valuable – it can be used to improve business decisions, so you must have a handle on what information this data holds and where it is stored.

Meeting compliance requirements for all the data you hold is not easy and it can be very expensive. You need to know which data is sensitive, what regulations apply and where it is held. That is not easy when data is often held in silos; it could be stored on your premises, in the cloud, or it could be a real-time data stream.

The challenge for CIOs, CISOs and compliance teams is to maintain the required level of data security while allowing this data to be fluid within the organisation and reducing operational costs at the same time.

Continuous compliance is a strategy which allows you to deal with these challenges.

Addressing the challenges

As new technologies emerge, businesses transform, and markets evolve, your compliance efforts may become undone. Only a continuous approach can prevent this from happening.

There are additional challenges around continuous compliance. The NIST Cybersecurity Framework, for example, has close to 400 specific requirements that need to be met. When you then consider that this is one framework of many, you start to understand the true complexity of the issue.

A lack of internal knowledge and understanding can also hamper continuous compliance efforts. IT teams may not have the right skillset to translate compliance and controls in the physical world to the virtual world.

This begs the question: How can the financial services industry overcome these challenges to successfully achieve continuous compliance in today’s ever-evolving technology landscape?

The answer depends upon individual business needs, but cloud technology can alleviate some of the burden through the elimination of hardware limitations.

Compliance in the cloud

While there are indeed technical and security-related obstacles to consider, the advantages that cloud technology has to offer from a compliance perspective certainly outweigh anything else. Businesses have already realised its potential in reducing operational complexities, and these benefits can also be transferred to the world of continuous IT compliance.

Most significantly, using cloud technology to monitor and control IT compliance offers a tremendous amount of transparency: being able to audit, query, alert and resolve any cloud infrastructure changes through virtual means is an incredibly powerful tool to have at your disposal. It can also deliver significant cost savings and streamline workflows through automating certain processes, simplifying reporting and cutting down on the number of compliance and reporting tools needed.

Looking more specifically at how this might help organisations achieve a continuous compliance approach, it largely comes down to unification. A cloud-based platform can enable businesses to integrate all their relevant compliance-based data and information into a single view, thanks to the ability to consolidate their existing management tools and their respective data sources. When implemented and configured in the right way, this can provide operators with an intuitive compliance dashboard that combines data sources from across the organisation. It also enables automated and manual remediation to fix non-conformities and further prevent breaches.

The use of cloud technology also allows organisations to continually track their infrastructures and trigger instant alerts when necessary. Using pre-defined rules and the ability to add bespoke policies, a cloud-based platform can continuously pull information and check it against the controls it has in place to identify any instances of non-conformities, which makes it simpler for any issues to be audited and resolved.
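The loop described above, as an added illustration that is not Pulsant's platform code: a snapshot of resources is checked against pre-defined rules plus a bespoke policy, safe fixes are applied automatically, and every non-conformity is recorded for audit. Resource fields, control labels and the sample inventory are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional
Resource = Dict[str, Any]

@dataclass
class Policy:
    control: str                                     # control label in your framework mapping (assumed)
    check: Callable[[Resource], bool]                # True when the resource conforms
    remediate: Optional[Callable[[Resource], None]] = None  # automatic fix, where one is safe

@dataclass
class Finding:
    resource_id: str
    control: str
    auto_remediated: bool                            # False: a manual fix is still outstanding

# Pre-defined rules a platform might ship (assumed examples, not a real rule set).
PREDEFINED = [
    Policy("storage-encrypted-at-rest", lambda r: r.get("type") != "bucket" or r.get("encrypted") is True,
           remediate=lambda r: r.update(encrypted=True)),
    Policy("storage-not-public", lambda r: r.get("type") != "bucket" or not r.get("public", False)),
]
# A bespoke policy the organisation adds: anything tagged sensitive must name an owner for audit.
BESPOKE = [
    Policy("sensitive-data-has-owner", lambda r: "sensitive" not in r.get("tags", []) or bool(r.get("owner"))),
]

def evaluate(resources: List[Resource], policies: List[Policy]) -> List[Finding]:
    # One cycle of the loop: every resource is checked against every control.
    findings = []
    for r in resources:
        for p in policies:
            if p.check(r):
                continue
            fixed = False
            if p.remediate is not None:
                p.remediate(r)
                fixed = p.check(r)                   # confirm the fix actually closed the gap
            findings.append(Finding(r["id"], p.control, fixed))
    return findings

# Constructed inventory snapshot standing in for what the platform pulls each cycle.
SNAPSHOT = [
    {"id": "bkt-1", "type": "bucket", "encrypted": False, "public": False, "tags": ["sensitive"], "owner": "risk"},
    {"id": "bkt-2", "type": "bucket", "encrypted": True, "public": True, "tags": []},
    {"id": "db-1", "type": "database", "tags": ["sensitive"]},
]

def run_cycle() -> List[Finding]:
    return evaluate(SNAPSHOT, PREDEFINED + BESPOKE)
```

Findings with `auto_remediated` set to False are the ones that need to be routed to an alert and a human, while the remediated ones still belong in the audit trail.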

Conclusion

The financial services industry is further down the continuous compliance journey than most other industries. However, as the amount of data generated continues to grow, new regulations are likely to follow. Compliance is an organisational commitment and, as the landscape continually shifts, organisations must anticipate the effects of these new regulations. Continuous compliance provides a framework for you to work within and respond to any changes with a level of agility and effectiveness.